Talk:SC EEPROM: Difference between revisions

From PS3 Developer wiki
m (→‎Experimental table: Removed info about individual values temporally)
m (→‎Experimental table: Deleted round 1)
Line 76: Line 76:
= Experimental table =
= Experimental table =
The goal is to join together all the "memory map" info in a single table
The goal is to join together all the "memory map" info in a single table
{| class="wikitable" style="line-height:110%; font-size:90%"
|+ Round 1
! colspan="2" | Area !! colspan="4" | [[Syscon_Hardware|SPI / UART]] !! colspan="8" | [[LV2_Functions_and_Syscalls#process_socket_service_syscalls|Syscall 863]] !! rowspan="3" | Data Name !! rowspan="3" | Notes
|-
! rowspan="2" | Name !! rowspan="2" | Size !! colspan="2" | [[Mullion]] !! style="padding:1px" | [[Sherwood]] !! rowspan="2" style="padding:1px" | [[Syscon_Firmware#Command_list|EEP]]<br>whitelist !! rowspan="2" | [[SC_Communication#Syscon_Services|NVS]]<br>ID !! rowspan="2" style="padding:1px" | Block<br>ID !! colspan="2" style="padding:1px" | [[Update_Manager|UM]] whitelist !! colspan="2" style="padding:1px" | [[SC_Manager|SCM]] whitelist !! rowspan="2" | Offset !! rowspan="2" | Size
|-
! style="padding:1px" | [[Syscon_CXR713_Series|CXR713]] !! style="padding:1px" | [[Syscon_CXR714_Series|CXR714]] !! [[Syscon_SW_Series|SW]]/[[Syscon_SW2_Series|2]]/[[Syscon_SW3_Series|3]] !! style="padding:1px" | Read !! style="padding:1px" | Write !! style="padding:1px" | Read !! style="padding:1px" | Write
|-
! <span style="writing-mode:vertical-lr; transform:rotate(180deg);">Patch Part 1</span>
! 0x400
| 0x2800 || 0x2800 || ? || style="background:#CC5555; color:#FFFFFF; text-align:center;" | <abbr title="Locked by the patch. Unlocked by deleting the patch">No*</abbr> || {{cellcolors|lightgrey}} N/A || {{cellcolors|lightgrey}} N/A || {{no}} || {{no}} || {{no}} || {{no}} || 0x02800 || 0x400 || [[Syscon_Firmware#Syscon_patches|Syscon Firmware Patch]] (top half) ||
|-
! rowspan="6" | <span style="writing-mode:vertical-lr; transform:rotate(180deg);">OS Version Area<br>a.k.a.<br>Industry Area</span>
! rowspan="6" | 0x100
| rowspan="6" | 0x2F00 || rowspan="6" | 0x2F00 || rowspan="6" | 0xE00 || rowspan="6" {{yes}} || rowspan="6" | 0x20 || rowspan="6" | 0x10 || {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02F00 || 0x08 || Manufacturing Update Release Version ||
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02F08 || 0x18 || Manufacturing Update Build Version + Build Date ||
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02F20 || 0x08 || Manufacturing Update Build Target ID ||
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02F28 || 0xD0 || {{cellcolors|#ff9999}} Undocumented ||
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02FF8 || 0x01 || Factory Bit ||
|-
| {{yes}} || {{no}} || {{yes}} || {{no}} || 0x02FF9 || 0x07 || {{cellcolors|#ff9999}} Undocumented ||
|}


{| class="wikitable" style="line-height:110%; font-size:85%"
{| class="wikitable" style="line-height:110%; font-size:85%"
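Review bot: deleting the whole Round 1 table also drops the per-field breakdown of the 0x2F00 area (0x02F00 Manufacturing Update Release Version, 0x02F08 Build Version + Build Date, 0x02F20 Build Target ID, 0x02FF8 Factory Bit, plus the two Undocumented ranges) and the "Locked by the patch. Unlocked by deleting the patch" tooltip on the Patch Part 1 EEP whitelist cell. The edit summaries describe the removal as temporary, so consider parking those rows in a separate sub-table or linking the revision that still carries them, rather than leaving them recoverable only from page history.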

Revision as of 18:47, 1 December 2021

Memory test diagnosis NVS flag

There is an NVS flag that enables a special diagnostic mode at startup. This flag is enabled on Proto/DECR. It allows memory test (memtest) diagnosis.

Pseudo-code:

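def check_bootrom_diag_mode(mode, param):
        # mode and param are assigned as outputs; the return value is a status (0 or 1)
        diag_mode = get_eeprom_bootrom_diag()  # diag flag word read from the EEPROM
        if diag_mode & 0x1:
                # bit 8 set: return 0 without assigning mode/param
                if diag_mode & 0x100:
                        return 0
                # both values are taken from bit 3
                mode = (diag_mode >> 3) & 0x1
                param = (diag_mode >> 3) & 0x1
        else:
                # bit 0 clear: mode comes from bit 1, param is set to -1
                mode = (diag_mode >> 1) & 0x1
                param = -1
        return 1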

EEPROM Dumps

EEPROM Strings (CP memory dump, DECR)

http://pastie.org/private/usd2zi8mw3igycsh1a395q -> DEAD LINK

Bus Pirate stuff

http://i.imgur.com/48rbR51.png

(needs more wikifying)

On standby

  • Note: during this time the plaintext EEPROM is never read even once!
  • Additionally, the areas 0x26B0, 0x26D0 are not read
  • Checks status
  • Unlocks Write Command
  • Reads PATCH top half region
  • Reads PATCH bottom half region
  • Reads 0x2790? (0x20)
  • Reads 0x27B0? (0x10)
  • Reads 0x26D0 (0x10)
  • Reads some configs? (around >0x31XX area)
  • Reads 0x0 (0x10)
  • Reads some configs?
  • Reads 0x10 (0x280) (EID1)?
  • Reads 0x3A00 (0x1)
  • Reads 0x290 (0x10) (EID1 CMAC?)
  • Reads 0x2A0 (0x20)
  • Reads 0x2C0 (0x20)
  • Reads 0x2E0 (0x20)
  • Writes some stuff to 0x2C0/0x2E0/0x2A0 (mostly ff's)
  • Re-reads EID1 and CMAC
  • Reads 0x360
  • Reads 0x370
  • Writes (again) mostly ff's to 0x360 and 0x370
  • Re-reads EID1 and CMAC
  • Does same process with 0x460 and 0x470
  • Reads 0x2710 and 0x2730 (0x20,0x10) ???
  • Reads 0x2700 (0x10)
  • fini!

MemoryMap Syscon BB Chip

0x1000-0x1FFF: PTCH Region (patch written here)

Nice read about Syscon EEPROM

http://rmscrypt.wordpress.com/2011/02/01/lets-look-at-syscon/

Experimental table

The goal is to join together all the "memory map" info in a single table

Round 2
Area SPI / UART Syscall 863 Data Name Notes
Name Size csum Mullion Sherwood whitelist Block ID
NVS Region
whitelist Offset Size
CXR713 CXR714 SW/2/3(emu) EEP DM UM SCM
System Info 0x200 No 0x2600 0x2600 ? ? ? ? ? ? ? 0x200 Encrypted data at relative offset 0xB0
Patch 1 0x400 No 0x2800 0x2800 0x2000 ?  Exploit  N/A No No No 0x02800 0x400 Syscon Firmware Patch (top half) Encrypted data
- 0x300 No 0x2C00 0x2C00 N/A ? Yes ? N/A No No No 0x02C00 0x300 empty Region not used
Industry Area 0x100 No 0x2F00 0x2F00 0xE00 Yes 0x10  Patch  Yes Yes 0x02F00
Customer Service Area 0x100 No 0x3000 0x3000 0xF00 Yes 0x20 ? ? ? ? 0x100
Platform Config 0x100 Yes 0x3100 0x3100 ? Yes ? ? ? ? ? 0x100
Hardware Config 0x100 Yes 0x3200 0x3200 ? Yes ? ? ? ? ? 0x100
Thermal Config 0x200 Yes 0x3300 0x3300 0x250 Yes ? ? ? ? ? 0x200 Data table using this C structure See: Syscon Thermal Config
On/Off Count/Time 0x200 No 0x3500 0x3500 ? Yes ? ? ? ? ? 0x200 Data table
Error Log 0x100 No 0x3700 0x3700 0x900 Yes ? ? ? ? ? 0x100 Data table See: Syscon Error Codes
- 0x100 No 0x3800 0x3800 N/A ? Yes ? N/A No No No ? 0x100 empty Region not used
Board Config 0x100 Yes 0x3900 0x3900 ? Yes ? ? ? ? ? 0x100
HDMI/DVE Config 0x100 No 0x3A00 0x3A00 ? Yes ? ? ? ? ? 0x100
- 0x100 No 0x3B00 0x3B00 N/A ? Yes ? N/A No No No ? 0x100 empty Region not used
- 0x200 Yes 0x3C00 0x3C00 N/A ? Yes ? N/A No No No ? 0x200 empty Region not used
- 0x200 Yes 0x3E00 0x3E00 N/A ? Yes ? N/A No No No ? 0x200 empty Region not used
- 0x400 No 0x4000 0x7000 N/A ? Yes ? N/A No No No ? 0x400 empty Region not used
- 0xB00 No 0x4400 0x7400 N/A ? Yes ? N/A No No No ? 0xB00 empty Region not used
- 0x2000 No 0x5000 0x5000 N/A ? Yes ? N/A No No No ? 0x2000 empty Region not used
System Software Config 0x100 No 0x7000 0x4000 0x1000 Yes 0x0 ? ? ? ? 0x100
System Software Config 0x100 No 0x7100 0x4100 0x1100 Yes 0x1 ? ? ? ? 0x100
System Software Config a.k.a. Flags and Tokens 0x100 No 0x7200 0x4200 0x1200 Yes 0x2  Patch  Yes Yes 0x48C00
System Software Config 0x100 No 0x7300 0x4300 0x1300 Yes 0x3 ? ? ? ? 0x100
Patch 2 0xC00 No 0x7400 0x4400 0x2400 ?  Exploit  N/A No No No ? ? Syscon Firmware Patch (bottom half) Encrypted data
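
Added example (not part of the original page): a small annotator that labels sniffed EEPROM accesses, such as those in the "On standby" notes, with region names from the Round 2 table. It uses only the Name, Size and Mullion CXR713 columns, and it assumes the standby offsets are in that same address space.

```python
# Region names, offsets and sizes copied from the Round 2 table (Name, Size,
# Mullion CXR713 columns). The unused "-" rows are left out on purpose, so
# accesses there are reported as "unmapped".
REGIONS = [  # (start, size, name)
    (0x2600, 0x200, "System Info"), (0x2800, 0x400, "Patch 1"),
    (0x2F00, 0x100, "Industry Area"), (0x3000, 0x100, "Customer Service Area"),
    (0x3100, 0x100, "Platform Config"), (0x3200, 0x100, "Hardware Config"),
    (0x3300, 0x200, "Thermal Config"), (0x3500, 0x200, "On/Off Count/Time"),
    (0x3700, 0x100, "Error Log"), (0x3900, 0x100, "Board Config"),
    (0x3A00, 0x100, "HDMI/DVE Config"), (0x7400, 0xC00, "Patch 2"),
] + [(0x7000 + 0x100 * i, 0x100, f"System Software Config {i}") for i in range(4)]

def validate(regions):
    """True if no two regions of the map overlap."""
    rs = sorted(regions)
    return all(a[0] + a[1] <= b[0] for a, b in zip(rs, rs[1:]))

def annotate(offset, length, regions=REGIONS):
    """Split one access into (name, start, end) pieces; gaps are 'unmapped'."""
    pieces, pos, end = [], offset, offset + length
    for start, size, name in sorted(regions):
        if start + size <= pos or start >= end:
            continue                      # region does not touch the access
        if start > pos:                   # hole before this region
            pieces.append(("unmapped", pos, start))
            pos = start
        stop = min(end, start + size)
        pieces.append((name, pos, stop))  # an access may straddle two regions
        pos = stop
    if pos < end:
        pieces.append(("unmapped", pos, end))
    return pieces

def summarize(trace):
    """Total bytes touched per (operation, region name)."""
    totals = {}
    for op, off, length in trace:
        for name, s, e in annotate(off, length):
            totals[(op, name)] = totals.get((op, name), 0) + (e - s)
    return totals

# Constructed trace: (op, offset, length) entries taken from the "On standby"
# list, assuming they share the CXR713 address space.
TRACE = [("R", 0x2790, 0x20), ("R", 0x27B0, 0x10), ("R", 0x26D0, 0x10),
         ("R", 0x0, 0x10), ("R", 0x10, 0x280), ("R", 0x3A00, 0x1),
         ("R", 0x2710, 0x20), ("R", 0x2700, 0x10)]

if __name__ == "__main__":
    for (op, name), n in sorted(summarize(TRACE).items()):
        print(f"{op} {name:<18} {n:#x} bytes")
```

Reads at 0x0 and 0x10 come out as "unmapped" because the Round 2 table has no row below 0x2600.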